Ok, so I know this must be a very basic question, but my problem is the following: I have developed my first PHP mini-app (so I'm fairly new to this) and I am pretty sure that there are two files of my web application that should be somehow protected from prying eyes

the one with the details to connect to the db

the one with the password hashing and the salt key

How should I go about protecting them? I have read somewhere that they should be put somewhere above my public directory, but then how will the app be able to access them? Should I change something in my apache config so that the Document Root is different than something else?

Any other things I should consider in terms of security? So far I am escaping every user field that goes into the db with mysql_real_escape_string(), but apart from that and hashing and salting the passwords, I'm not doing anything else.

1 Answer
1

Without knowing more about your app or seeing some real code it is hard to give any detailed security advice. That being said here are some things that come to mind after reading your post:

1: Keep your config file with the database connect info and salt key outside the public directory and chmod it to 444 or 644. You can access one directory above your script by doing something like this <?php include('../config.php'); ?>

2: Escaping any info going into a database should always be done, but consider switching to mysqli since mysql_real_escape_string is deprecated as of PHP 5.5.0, and will be removed in the future.

Thanks for your answer. I will have to keep trying #1 until I get it. I didn't know about mysql_real_escape_string being deprecated, I will check it out. Also, thanks for the link.
–
margaritamFeb 27 '13 at 9:16